Stefan's Weblog

15 Jun 2018

Let's Encrypt: certificate renewal fails

My Nextcloud installation on my Raspberry Pi has been running stably and without problems for almost three months now. SSL encryption with the Let's Encrypt certificate also works fine, and renewal via CRON works too, or so I thought.

Recently I received this e-mail from Let's Encrypt:

Hello,

Your certificate (or certificates) for the names listed below will expire in
20 days (on 04 Jul 18 10:22 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

mydyndns.dns.de

For any questions or support, please visit https://community.letsencrypt.org/.
Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit
https://letsencrypt.org/docs/expiration-emails/. In particular, note
that this reminder email is still sent if you've obtained a slightly
different certificate by adding or removing names. If you've replaced
this certificate with a newer one that covers more or fewer names than
the list above, you may be able to ignore this message.

If you want to stop receiving all email from this address, click
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
(Warning: this is a one-click action that cannot be undone)

Regards,
The Let's Encrypt Team

So there seems to be some problem with the renewal. The approach I presented in the article ➡ Nextcloud und Let's Encrypt does not seem to work.

So I tried triggering the whole process manually:

sudo /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default -a webroot --webroot-path /var/www/html/ -d mydyndns.dns.de

Then I selected option 3, Place files in webroot directory (webroot):

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydyndns.dns.de
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydyndns.dns.de (http-01): 
urn:acme:error:connection ::
The server could not connect to the client to verify the domain :: 
Fetching http://mydyndns.dns.de/.well-known/acme-challenge/xxxxxxxx: 
Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydyndns.dns.de
   Type:   connection
   Detail: Fetching
   http://mydyndns.dns.de/.well-known/acme-challenge/xxxxxxxx:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

The "Important Notes" section contains a helpful hint. Let's Encrypt tries to verify the domain over http. However, I have configured Apache to use https exclusively. That seems to be the crux of the whole thing.
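As an added example (not part of the original post), a small Python pre-flight check that reproduces what the CA does in the http-01 challenge: it drops a random token under <webroot>/.well-known/acme-challenge/ and fetches it over plain HTTP without following redirects, so an http-to-https bounce like the one described here shows up as "redirect" before certbot is even run. The local servers in serve() and demo() are constructed stand-ins for Apache, and the host, port and webroot paths are assumptions for the demo; on a real host you would point check_http01 at your own domain and port 80.

```python
import functools, http.client, http.server, os, secrets, tempfile, threading
CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot, token, content):
    """Write the token where certbot's webroot plugin would put it."""
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(content)

def fetch_token(host, port, token):
    """GET like the CA: plain HTTP, redirects not followed (http.client never does) -> (status, body)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}")
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    except OSError:  # refused, DNS failure, firewall, timeout: the CA's "connection" error
        return None, ""

def check_http01(host, port, webroot):
    """Return 'ok', 'redirect', 'unreachable' or 'wrong-webroot'."""
    token, content = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    place_token(webroot, token, content)
    status, body = fetch_token(host, port, token)
    if status is None:
        return "unreachable"
    if status in (301, 302, 307, 308):
        return "redirect"  # the http -> https bounce that broke renewal in this post
    return "ok" if status == 200 and body == content else "wrong-webroot"

def serve(directory, force_https=False):
    """Constructed stand-in for Apache on 127.0.0.1 (not real Apache); returns its port."""
    class Handler(http.server.SimpleHTTPRequestHandler):
        def do_GET(self):
            if not force_https:
                return super().do_GET()
            self.send_response(301)  # what an "https only" vhost answers on port 80
            self.send_header("Location", "https://localhost/")
            self.end_headers()
    handler = functools.partial(Handler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def demo():
    root, other = tempfile.mkdtemp(), tempfile.mkdtemp()  # constructed webroots
    return {"served": check_http01("127.0.0.1", serve(root), root),
            "forced_https": check_http01("127.0.0.1", serve(root, True), root),
            "wrong_webroot": check_http01("127.0.0.1", serve(other), root)}
```

A real-world run is check_http01("mydyndns.dns.de", 80, "/var/www/html"); "unreachable" there corresponds to the connection error in the certbot output above, "redirect" to the forced-https problem.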

After a bit of research across the internet I found a solution that worked for me. The certificate was renewed.

Here is what I did:

I adjusted the command for renewing the certificate. The "-a webroot" option was removed.

sudo /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default --webroot-path /var/www/html/ -d mydyndns.dns.de

In the Let's Encrypt menu I then chose option 1, Apache Web Server plugin - Beta (apache).

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydyndns.dns.de
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydyndns.dns.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydyndns.dns.de/privkey.pem
   Your cert will expire on 2018-09-13. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The CRON job then of course has to be adjusted accordingly as well:

# Let's Encrypt Renew
@weekly root /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default --webroot-path /var/www/html/ -d mydyndns.dns.de
